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Abstract. The diffcrcntial-phasc-shift quantum key distribution protocol is 
formalised as a prepare-and-measure scheme and translated into an equivalent 
entanglement-based protocol. A necessary condition for security is that Bob's 
measurement can detect the entanglement of the distributed state in the entanglement- 
based translation, which implies that his measurement is described by non-commuting 
POVM elements. This condition is shown to be met. 
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1. Introduction 

Quantum key distribution (QKD) is a means of distributing a secure key between two 
parties, traditionally Alice and Bob, who wish to communicate privately pfl E]- The 
security of the resulting shared key is independent of a potential eavesdropper's com- 
putational and technological power, if used as a one-time pad [3]. 

In 'prepare-and-measure (P&M)' terminology, a QKD protocol involves Alice preparing 
a set of quantum states into which a sequence of symbols has been encoded. These states 
are then sent to Bob via a quantum channel, who performs a measurement that serves 
to decode the signal and estimate the noise introduced by the channel, which is con- 
servatively attributed to eavesdropping [2]. A general QKD protocol can be described 
equivalently as an entanglement-based (EB) scheme p[], involving the preparation of a 
bipartite entangled state. When Alice performs a measurement on her subsystem, she 
effectively prepares the same set of quantum states described in the P&M picture, which 
is then measured by Bob with the same measurement. 

In both the P&M and in the equivalent EB scheme, a public classical channel, of which 
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Alice and Bob are the authenticated users, is subsequently employed to filter a secure 
key out of the initial sequence of symbols. The classical data produced in a secure 
QKD protocol must imply non-classical correlations [5] between the systems held by 
Alice and Bob in the EB translation. Therefore, a necessary condition for the security 
of a QKD protocol is that the measurements performed by Alice and Bob in the EB 
translation must detect entanglement in the effectively distributed state [6], which in 
turn implies that Bob's measurement must consist of non-commuting POVM elements 
(see Appendix). 

QKD protocols can be divided into three classes: discrete- variable (DV), continuous- 
variable (CV) and distributed-phase-reference protocols [2J. Differential-phase-shift 
(DPS) QKD is an example of a distributed-phase-reference protocol. 

The form of DPSQKD discussed here was proposed in 2003 by Inoue et al. |7J as a 
scheme offering a higher key creation efficiency than conventional fibre-based BB84. In 
2006 Waks et al. [8] derived a proof of the security of DPSQKD under the assumption 
that Eve is restricted to individual attacks. They showed that individual attacks are 
more powerful than certain so-called sequential attacks, thus ensuring security against 
this form of attack also. In the same year Diamanti et al. [U] reported an implementa- 
tion of DPSQKD secure against individual attacks over 100km. In 2007 Tsurumaru [ID] 
introduced an improved version of the aforementioned sequential attack that decreases 
the distance over which DPSQKD is secure to less than 95km, thus rendering the above 
implementation insecure. In 2009 Ma et al. [TT] reported an experimental realisation 
of DPSQKD using superconducting single-photon detectors, with a quantum bit error 
rate of less than 4%. Later in 2009, a proof of the unconditional security of a protocol 
related to DPSQKD, using single photons instead of coherent pulses, was published [12]. 
However, this proof does not imply the unconditional security of the original DPSQKD 
protocol. 

There are a number of practical advantages to DPSQKD, namely: its suitability for 
fibre transmissions; use of readily available telecommunication tools; no requirement for 
a single photon source (the generated states are assumed to be easily produced coherent 
states) and thus high communication efficiency. However, bounds for the unconditional 
security of DPSQKD, and other examples of distributed-phase-reference protocols like 
the coherent-one-way (COW) protocol [13], [H], have not yet been found. 

A number of techniques have been used to show the unconditional security of DV pro- 
tocols [TJ)1 EH El HE], and security proofs for CV protocols are developing to a similar 
level |19j . For DV and CV protocols, the notion of virtual entanglement plays an es- 
sential role in security proofs based on entanglement distillation which are applied to 
the EB version. The same security proofs then also directly apply to the equivalent 
P&M scheme. Note that the EB version is not necessarily implemented (hence the word 
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'virtual'), but serves as a theoretical tool owing to its equivalence to the P&M scheme. 

An EB translation of a P&M QKD protocol where the precondition for security on 
Bob's measurement is satisfied, is a necessary first step towards a potential uncondi- 
tional security proof for the protocol based on entanglement distillation. The purpose 
of this paper is to propose and formalise an EB translation of DPSQKD, as well as 
to show that Bob's measurement contains non-commuting POVM elements. This is a 
necessary condition for the unconditional security of the EB translation. 

This paper is organised as follows: In section 2 of this article, DPSQKD is described 
as a P&M scheme. In section 3 the P&M description of DPSQKD is translated into 
an equivalent EB scheme. In section 4 a necessary requirement for security- that Bob's 
measurement is described by non-commuting POVM elements- is shown to be fulfilled. 

2. DPSQKD as a P&M Scheme 

A general P&M protocol specifies a quantum state ^(S*)) that encodes a sequence of 
N symbols S = {s 1; sjy} prepared by Alice. In CV and DV protocols, |^ f (5')) can 
be written in tensor product form where there is a one-to-one correspondence between 
each symbol and each state \tp(si)) that encodes that symbol: 

N 

MS)) = ®W*)>- (i) 
i=i 

The Sj's are independent, and the state sent in each time interval % can therefore be 
considered independently as the state \ip(si)). Note that the states \ip(si)) must be 
non-orthogonal since a set of orthogonal states can be perfectly copied by a potential 
eavesdropper. 

In DPSQKD Alice prepares a sequence of N + 1 symbols S' = {s' , s' N }, s- G {0, 1}, 
according to which she modulates the phase of each of N + 1 attenuated coherent pulses 
by {0, 7r}. The pulses are separated by time At. After modulation the phase of the i th 
pulse is given by 0, = s'fi. From the bit string S' Alice calculates the potential key 
bit string S via the relation Sj = s' i _ l + s\, where addition is modulo 2. Let the time 
intervals in which Alice sends the pulses be denoted by i = 0, N. The quantum state 
\^(S'))dps that encodes the sequence S' can then be written as a tensor product 

N 

MS , ))dps = ®\{-1)<<x). (2) 

i=0 

The requirement of non-orthogonality of the states (^(^D) (compare with \ip(si)) from 
Eq. (1)) is met, since the coherent pulses have an average photon number \a\ 2 of less 
than one. 

The state sent in each time interval % can be considered independently if written (as 
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Figure 1: QKD system for the implementation of the DPSQKD protocol. LASER: coherent 
light source, ATT: attenuator, PS: phase shifter, BS: symmetric beamsplitter, D: detector. 
The i th incoming pulse is split at BSi. The part which propagates on path 3 arrives at BS2 
simultaneously with the part of the (i + l) th pulse coming from path 2. 



above) as |(— ly^a). Here there is a one-to-one correspondence between each symbol s\ 
and each state IV^O) encoding that symbol, but since the consecutive elements of S are 
not independent there is no such correspondence between potential key bits and pre- 
pared states, as in the general case. And this is the reason existing methods of proving 
unconditional security cannot be applied to the DPSQKD protocol, since they rely on 
the mutual independence of all potential key bits. However, the form of Eq. (2) allows 
a formulation of P&M DPSQKD as an equivalent EB scheme. 

Subsequent to Alice's preparation and sending of the state to Bob in a general 

P&M scheme, Bob performs a measurement which decodes the states. Measurement re- 
sults contribute to the key, but are also used to estimate the loss of quantum coherence 
in the sent state. 



In DPSQKD Bob's measurement is initiated at a time At after the first pulse has 
entered his interferometer, i.e., in time interval % — 1, and there is the possibility of a 
detection event that can contribute to the key in this and subsequent time intervals up 
to % = N. The transformation of ^(S^-Dps in Bob's interferometer forms part of his 
measurement (see Fig. 1) and is described by the following transformations: 

The incoming pulses enter symmetric beam splitter 1 (BSi) in the path labelled and 
are described by field operators Oq, while path 1 contains vacuum. The beam splitter 
transformation for in terms of operators a\ and a\ for the output paths labelled 2 
and 3 is 

at^-^flt+e-^^aj. (3) 

Transformations for symmetric beam splitter 2 (BS 2 ) in terms of operators a\ and a\ 
for the output paths labelled 4 and 5 are given by 

4- R CO 1 J- :± 1 J- 
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al B 4 2 e-^^=a\+^=al (5) 

The total action of the interferometer is described in terms of the creation operators for 
each time interval i for the signals entering Bob's interferometer in path 0, 4\ and the 
two outgoing paths, and a§. 

= htfi - e^a\ l + af +1) + e^af +1) ), (6) 

where the beam splitters are chosen such that their relative phase shifts compensate 
the phase shift associated with the time delay At in the upper arm of the interferome- 
ter i.e., 0i + 02 = 0At- This time delay must be equal to the time separation between 
incoming pulses in path 0, so that components of consecutive pulses can interfere at BS2. 

If Alice sends the state \${S'))dps, the state \^>' {S')) dps entering Bob's detectors in 
time intervals i in paths 4 and 5 after transformation in the interferometer, is expanded 

as 

N 1 1 

\V'(S')) DPS = (g)|-a(e* +e^- 1 ))\\-ae^(e i * i -e^" 1 ))^ 
i=i 2 2 

N , 1 

2 a((-l)< + (-l)<-i))i\- ae ^((-l)< - (-l)-J-i)>*, 

(7) 



i=i 



recalling that 0j = s^n. 

Bob uses detectors D and D\ that discern vacuum from one or more photons (so- 
called bucket detectors), in paths 4 and 5, respectively. A detector 'click' will occur 
when one or more photons are detected. For an incoming coherent state |/3) 4 (|/3) 5 ), 
detector D (Di) will click with probability 1 — e - ^ 2 . These probabilities depend on 
the phase modulation performed by Alice, which is determined by the bit string S'. For 
+ s^_ : — Si — 0(1), the probability of Di(Dq) clicking is zero, and hence a click in 
Dq(Di) corresponds to the potential key bit s« = 0(1). This situation is summarised in 
Table 1. 



Note, the probability of a detector firing is independent of the phase, and there- 
fore Bob cannot distinguish the two states \a) 1 and | — a) 1 that correspond to one Sj. 

Bob then utilises the authenticated classical channel to communicate to Alice the time 
intervals %* in which he recorded a detection event in one of his detectors (which is not in 
every time interval since the average photon number \a\ 2 per pulse is less than one). In 
the error-free case, this process serves to filter a secure key S* out of the initial sequence 
S, since for each i* Alice and Bob can add an identical bit, s,*, to the secure filtered 
key. 
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Table 1: DPSQKD detection and key extraction table: A coherent state |/3) 4 (|/3)s) results 
in detector Dq{D\) clicking with probability 1 — e - '' 3 ' . These probabilities depend on 
the phase modulation performed by Alice, which is determined by the bit string S' . For 
s'i + 4-1 = s i = 0(1), the probability of D\{Dq) clicking is zero, and hence a click in Dq{D\) 
corresponds to the potential key bit Si = 0(1). 



3. DPSQKD as an EB Scheme 

The existence of equivalent EB translations for P&M QKD schemes was first shown 
by Bennett et al. [I]. In the EB translation of a general P&M protocol, the bipartite 
entangled state 

\*)ab = ^L'E\S)a®MS))b (8) 
Vl) s 

is prepared, where D is the number of possible S sequences and the states \S)a form an 
orthogonal basis for the D-dimensional space. By measuring in this basis, Alice learns 
one sequence S and the corresponding (^/(S 1 )) is effectively sent to Bob, who performs 
an identical measurement to that performed in the P&M scheme. 

Since the Sj's are independent (and let them be of an alphabet of size d), \&)ab can also 
be written as 

\^AB = <S>(^T,\^A®ms l ))B] (9) 

i=o \ Vd s . ) 
where the states \si) form an orthogonal basis for a rf-dimensional space. 

In the EB translation of DPSQKD, the bipartite entangled state 
|$ dps)ab = -jL= E \ s ')a ® (\V(S'))dps)b 



S' 

N 



+ gi i=0 



is prepared. 



The total entangled state \&dps)ab can also be written as 



A' 



|$ dps)ab = ® I 4= E ® WJ)b 

i=0 g j =0 ,l 
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= ® \sdA®\(-l)<a) B ) 

i=0 \V Z 8 J=Q,1 / 
N ( 1 V 

= <S> [^^ A ® + l 1 )^® I - a) s }J , (11) 

where the states |0) and |1) form the arbitrary orthogonal basis in which Alice measures, 
and correspond to = or 1 respectively. Again, there is a one-to-one correspondence 
between each and each state ^(s'j)) encoding that symbol, although the potential key 
bits Si are not independent of each other. 

Consequences of this non-independence are that Alice must keep track of the time 
intervals to which her measurement outcomes correspond, thus incrementally building 
her knowledge of the string S via the relation Sj = s' i _ 1 + s^. Subsequent to Alice's 
projections in the arbitrary orthogonal basis {|0), |1)} performed on her subsystem, the 
resulting string of attenuated coherent pulses that form Bob's subsystem must be sep- 
arated by the same time delay associated with the delay in Bob's interferometer, At. 
Bob learns a fraction \a\ 2 of the Sj's in string S by interfering consecutive pulses to 
learn their relative phases. He performs the same total measurement as in the P&M 
description. 

4. Bob's Measurement 

Bob's measurement can be described conveniently in the framework of generalized 
measurements, where the measurement statistics are given by a positive-operator valued 
measure (POVM) [20]. The POVM associates with each measurement result j, a positive 
operator Ej, termed an effect or POVM element. The expectation value of the effect 
Ej determines the probability to obtain result j: 

Pj = ^\E^), (12) 

where is the state of the system considered just before the measurement is carried 
out. The effects satisfy J2j Ej = I, where I is the identity operator, in order to guarantee 
that the probabilities sum up to unity. In this formalism, common projection measure- 
ments of quantum mechanical observables are described by effects which are mutually 
commuting projectors onto the eigenspaces corresponding to the measurement results. 
In general, e.g. for indirect projection measurements, the effects are neither projectors 
nor do they commute. 

A necessary requirement for the shared bit string to be secret is that the performed 
measurements must be able to detect entanglement in the state effectively distributed 
between Alice and Bob in the EB scheme [S]. This is not possible if Bob's measurement 
results correspond only to mutually commuting effects (see Appendix). This condi- 
tion applies also to the P&M version of any QKD protocol, where the measurements 
must be the same as in the equivalent EB transcription. In an intercept-and-resend 
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attack on a P&M protocol where Bob's measurement is described by only commuting 
effects, an eavesdropper could measure an observable which commutes with all of Bob's 
effects without changing the statistics of Bob's measurement and thus remain unde- 
tected. Therefore, a precondition for security is that some of the effects constituting 
Bob's measurement must be non-commuting. 

In DPSQKD Bob's measurement is associated with a total number 2 2N of possible 
results and as many corresponding effects, since in the time intervals % G {l,...,iV}, 
he projects onto either vacuum (no click) or a one-or-more photon state (click) in each 
of two detectors, D and D\. He obtains an average of |a| 2 iV detection events which 
contribute to the key. The effects constituting Bob's measurement are written as follows: 

Gi = |0>i(0| ® \0) l 5 (0\ ® |0)1(0| ® |0>i<0|... ® |0)f (0| ® |0)f (0|, 

oo 

G2 = E ® 10)5(01 ® |0>I(0| ® |0>g(0|... ® |0)f (0| ® |0)f (0|, 

n=l 

00 

G 3 = \0)l(0\ ® |0>|<0| ® |0>i<0| ® £ \n)l(n\... ® |0)f <0| ® |0)f (0|, 

n=l 

00 00 00 00 

G 22 ,v = E |n)i<n| ® E |n)i<n|... £ |< (n| ® E KH (13) 

n=l n=l n=l n=l 

Bob's measurement is thus seen to be a degenerate projection measurement of photon 
number, where [Gi,Gj] = for all i,j, since the inner product of vacuum with a one- 
or-more photon state is always zero. It is easy to show that this result does not change 
if Bob's interferometer is considered as part of his measurement apparatus. Since the 
action of an interferometer is unitary, the result for the transformed effects remains 
the same: [WGiU, U^GjU] = 0. At this point the protocol appears to be insecure! In 
the remainder of this section it will be shown that the necessary condition on Bob's 
measurement- the non-commutativity of effects- nevertheless is met. 

For this purpose, recall that Bob's interferometer has two input paths (path and 
path 1, see Fig. [I]). Only path is populated, it carries the light sent by Alice in state 
\ip)o '■= \^(S'))dps (see Eq. (J2])), while path 1 contains the vacuum state |0)o at all 
times. When including the interferometer in Bob's measurement, the probability to ob- 
tain any result j G {1, 2..., 2 2N } can be expressed by means of the state |5) := |^)o® |0)i 
of the light entering the interferometer as: 

p J = (~\U^G J U\Z) = ^\E 3 \^) (14) 

with 

E j := 1 (0\tfG j U\0) 1 . (15) 

While the action of the interferometer is represented by the operator U which maps the 
incoming state in paths and 1 to the the outgoing state in paths 4 and 5, the new 
effects Ej are operators that act only on states in path 0. The expectation value with 
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respect to the vacuum state in path 1 reduces the action of the operator WGjU to the 



subspace of states in path 0, similarly to a partial trace. According to Eq. (14), the 
probability for any of Bob's measurement results can thus be expressed only in terms 
of the state sent by Alice using effects Ej. It is well known that such a reduction of a 
projection-valued measure (PVM) as given by the effects WGjU can result in a POVM 
with non-commuting effects. In fact, any POVM can be represented as a projection of 
a PVM acting on a higher dimensional Hilbert space (see the Theorem of Neumark [2"Tj). 

Indeed, the resulting effects Ej are not all mutually commuting and therefore satisfy 
the necessary condition for security. Consider, for example, the effects E 2 and E 3 that 
correspond to a click in Dq in time interval 1 and a click in D\ in time interval 2, 
respectively: 

OO 1 

E 2 = ^OlrfGtUMi = £ — (al° + aj 1 )"|0)(0|(a° + (16) 

n=l 4 n - 

oo i 

E 3 = 1 (0\U^G S U\0) 1 = £ -— (aj 1 - of r|0)<0|(fiS - a 2 )™ (17) 

m=l 4 m - 

The commutator [E 2 , E3] is given by: 

00 1 00 1 

3d = E 7^(4° + 4 1 )"|0)T £ ^(OKaJ - ag)™ 

n=l ' m=l 

00 1 00 1 

- E -4riO)TE ^(01^ + ajr, (18) 

m=l 4 n=l 4 ' 4 - 

where the term T is defined and evaluated as: 

t = (oKag + aSH^-aPno) 



n m 



= EE Q ^(-^'(oKa^-^a^^at 1 )^^ 2 )^) 

= n\, (19) 
with n = m = k and / = 0. 

Note that T = T* is a non-zero real number. 
The commutator [E 2 , E3] is then given by: 

x {(-l) fc (a t °)^(G t 1 )'|0)(0|(aJ) w - fe (a 2 ) fe 

- C-i) , (aS 1 ) w - I (aS a ) l |o><o|(ag)»-*(a5)*> 

^ 0. (20) 

Since the operators a^ , a^ 1 and a^ 2 act on different Hilbert spaces, the matrix ele- 
ments do not cancel. Therefore all terms in the sum are non-zero. 
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It has therefore been shown that there do exist non- commuting effects in Bob's mea- 
surement in the EB translation of DPSQKD, i.e., [E 2 ,E 3 ] ^ 0, which is a necessary 
requirement for the detection of entanglement in the effectively distributed state. The 
protocol has thus been shown to satisfy a necessary condition for security, i.e. that 
Bob's measurement involves non-commuting effects. 

5. Conclusion 

DPSQKD, an example of a distributed-phase-reference protocol, has here been described 
firstly as a P&M scheme, and secondly translated into an EB scheme, thus fitting into 
the framework of description for a generic QKD protocol as outlined by Scarani et 
al. [2]. DPSQKD has been shown to satisfy a necessary condition for security, i.e., 
Bob's measurement involves non-commuting effects. The EB translation of DPSQKD 
formalised here, together with the proof that the necessary condition for security is met, 
can be considered a first step towards a potential unconditional security proof for the 
protocol based on entanglement distillation. 
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Appendix 

A theorem by Curty, Lewenstein and Lutkenhaus [6] states the following: 
Entanglement as a precondition for secure QKD 

A necessary precondition for a set of POVM elements F a cg> Gb together with the proba- 
bility distribution of their occurance P(A, B) to lead to a secret key via public commu- 
nication is that the presence of entanglement in the effectively distributed state \iP)ab 
can be detected via an entanglement witness W = J2ab c abF a ® Gb with c a b real such that 
Tr{Wa) > for all separable states and Tr(Wp) < for at least one entangled state. 

Suppose W = J2ab c abF a ® Gb is an entanglement witness with c a b real such that 
TriWa) > for all separable states and Tr(Wp) < for at least one entangled state, 
and that F a and Gb are Alice and Bob's POVM elements in a QKD protocol. Assume 
that in each time interval Alice projects onto the set of orthogonal states \A), and that 
Bob projects onto the set of orthogonal states \B). Then W is diagonal in the basis 
{\A)a,\B)b}: 

W = J2^ab\A) a (A\®\B) b (B\. (21) 

A,B 
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Since W is a witness and Tr(Wa) > for all separable states \ip sep ), it follows that for 

\*Psep) = \a) A \P} B 

(ip S ep\W\i; sep ) > 

HaW\b ® E ^ab\A) a {A\ ® \B) B (B\ <g> |a) A |/3) B > 

AS 

J2 X Ma\A)W\B)(a\A)(p\B) >0 

=> A a/3 > V a, /3 (22) 

Since has diagonal representation I^Aj|i}(i| with Aj non-negative, IV is a positive 
operator. Therefore (^l W > for all including all entangled states and W can- 
not be an entanglement witness. As a result a witness of entanglement in the effectively 
distributed state cannot be constructed, and the protocol cannot lead to a secret key 
via public communication. 

In the EB translation of a P&M protocol, Alice is assumed to project onto a set of 
orthogonal states, therefore a necessary condition on the elements of Bob's POVM is 
that they should not all commute. 
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